21 November 2022

Hackers using Google Ads to distribute Royal ransomware


A new threat actor, tracked by security researchers at Microsoft as DEV-0569, is using Google ads to distribute various post-compromise payloads, including Royal ransomware, which first emerged in September 2022.

“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” a new report from Microsoft’s Security Threat Intelligence team said.

Typically, the group relies on malvertising and on phishing links, embedded in spam emails, fake forum pages, and blog comments, that point to a malware downloader posing as a software installer or update. Over the past few months, the researchers observed some changes in DEV-0569’s delivery methods, including the use of contact forms on targeted organizations’ websites to deliver phishing links, and an expansion of their malvertising technique by abusing Google Ads.

The links delivered to potential victims through malicious ads, phishing emails and other means lead to malicious files signed by the attacker using a legitimate certificate.

“The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom. When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands,” Microsoft explained.

In a campaign carried out between August and October 2022, BATLOADER was delivered via fake installers for popular software like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. The malware was hosted on attacker-created domains and on legitimate repositories like GitHub and OneDrive.

In another campaign, observed in September and October 2022, the threat actor was seen disabling security solutions using the open-source NSudo tool, as well as using contact forms on public websites to distribute malware, including the IcedID (BokBot) malware dropper.
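Two of the behaviours described above are easy to hunt for in endpoint telemetry: an MSI installer whose Custom Action spawns PowerShell or a batch script, and execution of the NSudo tool. The following is an added example written for this page, not code from Microsoft or from the report; it runs two such rules over constructed Sysmon-style process-creation records (the field names and the sample events are assumptions made for illustration).

```python
"""Hunt for the BATLOADER-style behaviours the report describes in
process-creation telemetry. The record layout below mirrors the fields
of a Sysmon Event ID 1 entry (image, parent image, command line) but is
an assumption; adapt the accessors to your own log schema."""

from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


# Script hosts that an MSI Custom Action typically spawns to run
# PowerShell or batch payloads.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def is_msi_script_child(ev: ProcessEvent) -> bool:
    """Rule 1: msiexec.exe launching a script host, i.e. an MSI Custom
    Action running PowerShell or a batch file."""
    return (_basename(ev.parent_image) == "msiexec.exe"
            and _basename(ev.image) in SCRIPT_HOSTS)


def is_nsudo(ev: ProcessEvent) -> bool:
    """Rule 2: the NSudo tool, named in the report as the utility used
    to disable security solutions, appearing as the image or on the
    command line under any path."""
    return (_basename(ev.image).startswith("nsudo")
            or "nsudo" in ev.command_line.lower())


RULES = [
    ("msi_custom_action_script", is_msi_script_child),
    ("nsudo_execution", is_nsudo),
]


def detect(events):
    """Return (rule_name, pid) for every event matching a rule, in
    event order, so the caller can pivot on the process ID."""
    hits = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((name, ev.pid))
    return hits


# Constructed sample telemetry (not real captured data): a fake
# installer run, its Custom Action children, a follow-on NSudo run, and
# one benign interactive PowerShell session that must not alert.
SAMPLE_EVENTS = [
    ProcessEvent(4100, r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\explorer.exe",
                 r"msiexec.exe /i C:\Users\Public\TeamViewer_Setup.msi"),
    ProcessEvent(4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 r"powershell.exe -File C:\Users\Public\update.ps1"),
    ProcessEvent(4140, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 r"cmd.exe /c C:\Windows\Temp\setup.bat"),
    ProcessEvent(4188, r"C:\Users\Public\nsudo.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "nsudo.exe <constructed-args>"),
    ProcessEvent(4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe Get-Process"),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 will also fire on legitimate installers whose Custom Actions run PowerShell, so it is a triage signal rather than a verdict; the pivot that separates the two cases is whether the MSI's signing certificate and download source match the vendor's, since the report notes the attacker's files carried a legitimate certificate of their own. Rule 2 matches on the tool name only, so a renamed binary would need an additional indicator such as a file hash or a process-creation event for the security services being stopped.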

